b'               The Chief Information Officer Is Taking Steps\n                 to Timely Complete Corrective Actions to\n                    Treasury Inspector General for Tax\n                          Administration Reports\n\n                                     April 2005\n\n                       Reference Number: 2005-20-071\n\n\n\n\nThis report has cleared the Treasury Inspector General for Tax Administration disclosure\nreview process and information determined to be restricted from public release has been\n                              redacted from this document.\n\n\nRedaction Legend:\n7 = Predecisional staff recommendations or suggestions to agency decision makers\n\x0c                                              DEPARTMENT OF THE TREASURY\n                                                    WASHINGTON, D.C. 20220\n\n\n\n\nINSPECTOR GENERAL\n     for TAX\n  ADMINISTRATION\n\n\n\n\n                                                        April 11, 2005\n\n\n\n      MEMORANDUM FOR CHIEF INFORMATION OFFICER\n\n\n\n      FROM:                          Pamela J. Gardiner\n                                     Deputy Inspector General for Audit\n\n      SUBJECT:                       Final Audit Report - The Chief Information Officer Is Taking\n                                     Steps to Timely Complete Corrective Actions to Treasury\n                                     Inspector General for Tax Administration Reports\n                                     (Audit # 200520028)\n\n\n\n      This report presents the results of our review of Modernization and Information\n      Technology Services (MITS) open corrective actions. Our overall objective was to\n      determine whether the Internal Revenue Service (IRS) is efficiently addressing open\n      corrective actions resulting from Treasury Inspector General for Tax Administration\n      (TIGTA) audit recommendations. In October 2004, the Chief Information Officer (CIO)\n      expressed concerns regarding the number of open corrective actions and requested\n      that we perform a review of the MITS organization\xe2\x80\x99s open corrective actions.\n      In summary, since Fiscal Year 2000, we have issued to the MITS organization a\n      consistent number of audit reports each year resulting in an average of\n      143 recommendations per year. Based on the distribution of the open corrective\n      actions within the MITS organization, we believe no division is overly burdened with a\n      large number of outstanding corrective actions.\n      While corrective actions are being closed by the MITS organization,1 some of the open\n      corrective actions are not being resolved by the original due dates. All open corrective\n      actions are significant because they address issues with systems security, systems\n\n\n\n\n      1\n        We did not verify whether the actual steps taken to close the corrective actions were adequate to satisfy the\n      recommendations made in the audit reports.\n\x0c                                                           2\n\nmodernization, existing IRS material weaknesses/internal control deficiencies,2 or the\nPresident\xe2\x80\x99s Management Agenda (PMA).3\nAfter we briefed the CIO on our results, the CIO initiated additional actions to improve\nthe timeliness of completing corrective actions and reemphasized to the staff the\nimportance of providing quality, timely responses to TIGTA reports. Therefore, we\nmade no additional recommendations in this report.\nManagement\xe2\x80\x99s Response: Management\xe2\x80\x99s response was due on March 31, 2005. As of\nApril 5, 2005, management had not responded to the draft report.\nCopies of this report are also being sent to the IRS managers affected by the report\nresults. Please contact me at (202) 622-6510 if you have questions or\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems\nPrograms), at (202) 622-8510.\n\n\n\n\n2\n  Internal control deficiencies, also known as \xe2\x80\x9creportable conditions,\xe2\x80\x9d are matters that could adversely affect an\norganization\xe2\x80\x99s ability to initiate, record, process, and report financial data consistent with the assertions of\nmanagement in the financial statements.\n3\n  The PMA is an aggressive strategy for improving the management of the Federal Government. It focuses on\ncritical areas of management weaknesses across the Federal Government where improvements and the most\nprogress can be made.\n\x0c The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n               Treasury Inspector General for Tax Administration Reports\n\n\n\n\n                                             Table of Contents\n\n\nBackground ............................................................................................... Page 1\nThe Modernization and Information Technology Services\nOrganization Is Closing Corrective Actions ............................................... Page 1\nSome Corrective Actions Are Not Being Timely Resolved ........................ Page 3\nOpen Corrective Actions Are Related to Significant Areas........................ Page 4\nAppendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology....................... Page 10\nAppendix II \xe2\x80\x93 Major Contributors to This Report ....................................... Page 11\nAppendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 12\nAppendix IV \xe2\x80\x93 Division of Open Corrective Actions Within\nthe Modernization and Information Technology\nServices Organization ............................................................................... Page 13\nAppendix V \xe2\x80\x93 Security Versus Non-Security Open\nCorrective Actions ..................................................................................... Page 14\nAppendix VI \xe2\x80\x93 Corrective Actions Related to Material\nWeaknesses or Internal Control Deficiencies............................................ Page 15\nAppendix VII \xe2\x80\x93 Corrective Actions Related to the\nPresident\xe2\x80\x99s Management Agenda ............................................................. Page 16\nAppendix VIII \xe2\x80\x93 Categorization of Open Corrective Actions ...................... Page 17\n\x0c  The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n                Treasury Inspector General for Tax Administration Reports\n\n                                  The Internal Revenue Service (IRS) Modernization and\nBackground\n                                  Information Technology Services (MITS) organization is\n                                  challenged with addressing recommendations made by the\n                                  Treasury Inspector General for Tax Administration\n                                  (TIGTA) and other oversight groups. The MITS\n                                  organization initiates corrective actions and tracks the status\n                                  of those actions in response to oversight recommendations.\n                                  According to the IRS, the Office of Stakeholder\n                                  Management regularly issues aging reports to responsible\n                                  officials assigned the open corrective actions. These reports\n                                  list corrective actions that are due or will be due within\n                                  30, 60, and 90 days. The responsible officials are required\n                                  to respond to the reports by providing status updates on the\n                                  open corrective actions. In addition, as part of the\n                                  MITS organization\xe2\x80\x99s Business Performance Reviews, open\n                                  corrective actions are reviewed and the status is discussed to\n                                  provide oversight and tracking.\n                                  In October 2004, the Chief Information Officer (CIO)\n                                  expressed concerns regarding the number of open corrective\n                                  actions and requested that we perform a review of the MITS\n                                  organization\xe2\x80\x99s open corrective action items. The CIO\n                                  provided a listing of 129 corrective actions open as of the\n                                  beginning of October 2004. As of November 2004,\n                                  101 corrective actions remained open and were analyzed\n                                  during this audit.\n                                  This review was performed in the MITS organization\n                                  offices at the IRS National Headquarters in\n                                  Washington, D.C., during the period November 2004\n                                  through February 2005. The audit was conducted in\n                                  accordance with Government Auditing Standards. Detailed\n                                  information on our audit objective, scope, and methodology\n                                  is presented in Appendix I. Major contributors to the report\n                                  are listed in Appendix II.\n                                  Since Fiscal Year (FY) 2000, we have issued to the MITS\nThe Modernization and\n                                  organization an average of 32 audit reports per year\nInformation Technology\n                                  containing an average of 143 recommendations per year.\nServices Organization Is\n                                  Figure 1 shows the number of audit reports we issued to the\nClosing Corrective Actions\n                                  MITS organization and the corresponding number of\n                                  recommendations.\n\n\n                                                                                          Page 1\n\x0cThe Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n              Treasury Inspector General for Tax Administration Reports\n\n                                 Figure 1: TIGTA Final Reports and Associated Recommendations\n\n\n\n\n                                Source: Data obtained from analyzing historical TIGTA audit reports.\n\n                                The MITS organization responded to these audit\n                                recommendations by initiating and taking measures to\n                                complete corrective actions. For example, all FY 2000\n                                recommendations were closed through the completion of\n                                their assigned corrective actions.1 Only a small percentage\n                                of corrective actions remained open for FYs 2001, 2002,\n                                and 2003. As of November 2004, 101 corrective actions,\n                                resulting from 92 recommendations, remained open. The\n                                majority (67 of 101 or 66 percent) of the open corrective\n                                actions were from FY 2004 audits. Figure 2 shows a\n                                breakdown of open corrective actions by fiscal year.\n\n\n\n\n                                1\n                                  We did not verify whether the actual steps taken to close the corrective\n                                actions were adequate to satisfy the recommendations made in the audit\n                                reports.\n                                                                                                  Page 2\n\x0c  The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n                Treasury Inspector General for Tax Administration Reports\n\n                                           Figure 2: Open Corrective Actions by Fiscal Year\n\n\n\n\n                                  Source: Data obtained from analyzing the Joint Audit Management\n                                  Enterprise System (JAMES).\n\n                                  Based on the distribution of the open corrective actions\n                                  within the MITS organization, we believe no division is\n                                  overly burdened with a large number of outstanding\n                                  corrective actions. No division has over 20 open corrective\n                                  actions. See Appendix IV for a detailed breakdown of this\n                                  analysis.\n                                  While corrective actions are being closed by the MITS\n                                  organization, we determined some of the open corrective\n                                  actions are not being resolved by their original due dates,\n                                  and open corrective actions relate to critical areas.\n                                  The number of recommendations has been fairly consistent\nSome Corrective Actions Are\n                                  from year to year, and no division within the MITS\nNot Being Timely Resolved\n                                  organization appears to be overly burdened with corrective\n                                  actions. However, some corrective actions are not being\n                                  timely resolved. Of the 101 open corrective actions,\n                                  32 (32 percent) are considered late by an average of\n                                  15 months.\n                                  Figure 3 shows the majority of overdue items are from prior\n                                  fiscal years and if timely closed would reduce the number of\n                                  open corrective actions. Older corrective actions are being\n                                  worked on by the MITS organization; however, it is taking\n                                  longer than expected to complete the corrective actions\n                                                                                              Page 3\n\x0c  The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n                Treasury Inspector General for Tax Administration Reports\n\n                                  due to the extensive nature of the work required. See\n                                  Appendix V for a listing of open corrective actions and the\n                                  current status of work performed to complete the corrective\n                                  actions.\n                                               Figure 3: Overdue Open Corrective Actions\n\n                                                     Open              Corrective\n                                      Fiscal                                             Average Months\n                                                   Corrective           Actions\n                                      Year                                                  Overdue2\n                                                    Actions             Overdue\n\n                                      2000               0                   0                    0\n\n                                      2001               5                   5                   35\n\n                                      2002              13                   8                   22\n\n                                      2003              16                   8                   12\n\n                                      2004              67                  11                    4\n                                   TOTAL               101                  32                 15.26\n                                  Source: Data obtained from analyzing the JAMES.\n\n                                  Management Actions: After we communicated our\n                                  preliminary audit results to the IRS in December 2004, the\n                                  CIO required all extensions of corrective action due dates to\n                                  be reviewed and approved by the CIO. Since the CIO has\n                                  taken actions to improve the timeliness of completing\n                                  corrective actions, we are making no additional\n                                  recommendations at this time.\n                                  To determine whether all open corrective actions were\nOpen Corrective Actions Are\n                                  related to significant issues, we reviewed each open\nRelated to Significant Areas\n                                  corrective action and classified it into one of the categories\n                                  shown in Figure 4. Based on this analysis, we determined\n                                  all open corrective actions are significant because they\n                                  address issues with systems security, systems\n                                  modernization, existing IRS material weaknesses/internal\n                                  control deficiencies,3 or the President\xe2\x80\x99s Management\n\n\n                                  2\n                                    This is the average number of months overdue as of\n                                  September 29, 2004.\n                                  3\n                                    Internal control deficiencies, also known as \xe2\x80\x9creportable conditions,\xe2\x80\x9d\n                                  are matters that could adversely affect an organization\xe2\x80\x99s ability to\n                                  initiate, record, process, and report financial data consistent with the\n                                  assertions of management in the financial statements.\n                                                                                                      Page 4\n\x0cThe Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n              Treasury Inspector General for Tax Administration Reports\n\n                                Agenda (PMA).4 Some of the corrective actions also\n                                address multiple issues. Appendix VIII provides a detailed\n                                listing of all the prioritized open corrective actions.\n                                            Figure 4: Open Corrective Actions by Category\n\n                                    Category                  Title                        # Of Items\n                                        I      Systems Security Issues                         44\n                                       II      Systems Modernization Issues                    23\n                                               Material Weakness/Internal\n                                       III                                                      26\n                                               Control Deficiency Issues\n                                       IV      PMA Issues                                        8\n                                    Total Corrective Actions                                    101\n                                Source: TIGTA prioritization using information from the JAMES.\n\n                                Category I \xe2\x80\x93 Systems Security Issues\n                                The CIO identified systems security as a major focus area\n                                for FY 2005. We determined 44 open corrective actions\n                                related to systems security. These 44 actions are also\n                                considered IRS material weaknesses and relate to a PMA\n                                critical area. Examples of TIGTA recommendations\n                                generating the systems security open corrective actions are:\n                                \xe2\x80\xa2     ****7****------------------------------------------------------\n                                      --------------------------------------------------------------------\n                                      -------.5\n                                \xe2\x80\xa2     ****7****------------------------------------------------------\n                                      --------------------------------------------------------------------\n                                      -------.6\n                                See Appendix V for a detailed breakdown of systems\n                                security versus nonsystems security corrective actions.\n\n\n\n\n                                4\n                                  The PMA is an aggressive strategy for improving the management of\n                                the Federal Government. It focuses on critical areas of management\n                                weaknesses across the Federal Government where improvements and\n                                the most progress can be made.\n                                5\n                                  The Security of the Integrated Collection System Needs to Be\n                                Strengthened (Reference Number 2003-20-119, dated May 2003).\n                                6\n                                  Penetration Test of Internal Revenue Service Computer Systems\n                                (Reference Number 2003-20-082, dated March 2003).\n                                                                                                  Page 5\n\x0cThe Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n              Treasury Inspector General for Tax Administration Reports\n\n                                Category II \xe2\x80\x93 Systems Modernization Issues\n                                Since its inception in FY 2000, the TIGTA has identified\n                                the IRS\xe2\x80\x99 systems modernization effort as a major\n                                management weakness. In addition, the Government\n                                Accountability Office has designated the modernization\n                                program as high risk, in part because of its size, complexity,\n                                and immense importance to improving mission performance\n                                and accountability. We determined 23 open corrective\n                                actions related to systems modernization. These actions are\n                                also considered IRS material weaknesses and relate to PMA\n                                critical areas. Examples of TIGTA recommendations\n                                generating the systems modernization open corrective\n                                actions are:\n                                \xe2\x80\xa2   To help provide clear direction in the development of\n                                    the Business Systems Modernization (BSM) program,\n                                    the CIO should determine whether and how the BSM\n                                    Office will fulfill the BSM program integrator role and\n                                    document the related responsibilities and processes.7\n                                \xe2\x80\xa2   To more clearly define the Computer Sciences\n                                    Corporation\xe2\x80\x99s (CSC)8 responsibility to fully document\n                                    the business requirements prior to beginning system\n                                    development, the CIO should require the BSM Office to\n                                    conduct an analysis of future change requests to\n                                    determine whether the change should have been part of\n                                    the contractor\xe2\x80\x99s normal requirements gathering. Task\n                                    orders to define business requirements should be written\n                                    to hold the CSC responsible for making such changes at\n                                    no additional cost to the IRS.9\n\n\n\n\n                                7\n                                  The Office of Release Management Can Improve Controls for\n                                Modernization Program Coordination (Reference Number\n                                2004-20-157, dated September 2004).\n                                8\n                                  To facilitate the success of its modernization efforts, the IRS hired the\n                                CSC as the PRIME contractor and integrator for the BSM program.\n                                9\n                                  Oversight of the Business Systems Modernization Contractor Needs\n                                Improvement (Reference Number 2004-20-034, dated January 2004).\n                                                                                                    Page 6\n\x0cThe Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n              Treasury Inspector General for Tax Administration Reports\n\n                                Category III \xe2\x80\x93 IRS Material Weakness and Internal Control\n                                Deficiency Issues\n                                The IRS is required by the Federal Managers Financial\n                                Integrity Act of 1982 (FMFIA)10 to report and effectively\n                                correct outstanding material weaknesses and internal control\n                                deficiencies through implementing recommendations made\n                                by the TIGTA and other oversight agencies. We determined\n                                26 corrective actions related to an IRS material weakness\n                                and were not included as Category I and II actions.\n                                Examples of TIGTA recommendations generating the\n                                material weakness and internal control deficiency open\n                                corrective actions are:\n                                \xe2\x80\xa2    The CIO should ensure service is immediately\n                                     discontinued for cellular telephones that have not been\n                                     registered in the national database.11\n                                \xe2\x80\xa2    The CIO should ensure a complete inventory of phone\n                                     cards is established, prior to migrating the inventory\n                                     management and billing function to the\n                                     Telecommunications Asset Tool (TAT)12 system, and\n                                     annual phone card inventories are completed on a\n                                     consistent basis.13\n                                See Appendix VI for the analysis of open corrective actions\n                                relating to the IRS material weaknesses and internal control\n                                deficiencies.\n                                Category IV \xe2\x80\x93 PMA Issues\n                                Since the inception of the PMA in July 2001, we have made\n                                recommendations to make improvements to meet the PMA\n\n\n                                10\n                                   31 U.S.C. \xc2\xa7\xc2\xa7 1105, 1113, 3512 (2000). The FMFIA requires\n                                ongoing evaluations and reports of the adequacy of systems on internal\n                                accounting and administrative control of each executive agency.\n                                11\n                                   Telecommunications Costs Controls Have Not Been Effectively\n                                Implemented and Should Continue to Be Improved and Monitored\n                                (Reference Number 2004-20-156, dated September 2004).\n                                12\n                                   The TAT system is a web-based telecommunications resource\n                                management system designed to allow local and national offices to\n                                initiate, process, approve, review, and manage telecommunications\n                                resources to identify potential waste, fraud, and abuse.\n                                13\n                                   Telecommunications Costs Controls Have Not Been Effectively\n                                Implemented and Should Continue to Be Improved and Monitored\n                                (Reference Number 2004-20-156, dated September 2004).\n                                                                                               Page 7\n\x0cThe Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n              Treasury Inspector General for Tax Administration Reports\n\n                                goals. We determined eight corrective actions related to a\n                                PMA critical area but were not included in\n                                Categories I through III. Examples of TIGTA\n                                recommendations generating the PMA open corrective\n                                actions are:\n                                \xe2\x80\xa2    To ensure the MITS organization has adequate staffing\n                                     to meet its needs, the CIO should charge the Director,\n                                     Management Services, to develop detailed hiring and\n                                     retention plans.14\n                                \xe2\x80\xa2    The CIO should ensure a centralized, multifunctional\n                                     investment review process is established and\n                                     documented for the selection, funding, and monitoring\n                                     of all IRS information technology investments.15\n                                See Appendix VII for the analysis of open corrective actions\n                                relating to the PMA.\n                                Management Actions: After we met with the CIO to\n                                communicate our interim results, the CIO met with other\n                                high-level IRS executives to determine how to prioritize the\n                                corrective actions. The CIO also provided our results to\n                                approximately 20 leadership team members during an all\n                                day senior leadership team meeting and reemphasized the\n                                importance of delivering quality, timely responses to the\n                                TIGTA. Because the CIO has taken actions to prioritize\n                                corrective actions, we are making no additional\n                                recommendations at this time.\n\n\n\n\n                                14\n                                   The Modernization, Information Technology and Security Services\n                                Organization Needs to Take Further Action to Complete Its Human\n                                Capital Strategy (Reference Number 2003-20-209, dated\n                                September 2003).\n                                15\n                                   The Selection, Monitoring, and Management of Systems Improvement\n                                Projects, Such as the Print Consolidation Project, Need Modification\n                                (Reference Number 2002-20-138, dated August 2002).\n\n\n\n\n                                                                                             Page 8\n\x0cThe Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n              Treasury Inspector General for Tax Administration Reports\n\n                                Management\xe2\x80\x99s Response: Management\xe2\x80\x99s response was due\n                                on March 31, 2005. As of April 5, 2005, management had\n                                not responded to the draft report.\n\n\n                                .\n\n\n\n\n                                                                                  Page 9\n\x0c     The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n                   Treasury Inspector General for Tax Administration Reports\n\n                                                                                                        Appendix I\n\n\n                           Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether the Internal Revenue Service\n(IRS) is efficiently addressing open corrective actions resulting from Treasury Inspector General\nfor Tax Administration audit recommendations. To achieve this objective, we determined\nwhether the open corrective actions were categorized to provide for an efficient method of\nresolution. We:\nI.        Reviewed all open corrective actions to determine:\n          A. The number of months each corrective action had been overdue.\n          B. The percentage of corrective actions having missed the original due dates and the\n             average amount of time these actions were overdue.\nII.       Reviewed all of the open corrective actions and determined whether they were aligned\n          with a broader program.\n          A. Determined whether any open corrective actions related to any IRS material\n             weaknesses or internal control deficiencies.1\n          B. Determined whether any open corrective actions were aligned with the President\xe2\x80\x99s\n             Management Agenda (PMA).2\nIII.      Determined the distribution of open corrective actions within the Modernization and\n          Information Technology Services (MITS) organization.\n          A. Identified the responsible official for each corrective item.\n          B. Analyzed the workload of assigned corrective actions to the identified manager\n             within the MITS organization.\n\n\n\n\n1\n  Internal control deficiencies, also known as \xe2\x80\x9creportable conditions,\xe2\x80\x9d are matters that could adversely affect an\norganization\xe2\x80\x99s ability to initiate, record, process, and report financial data consistent with the assertions of\nmanagement in the financial statements.\n2\n  The PMA is an aggressive strategy for improving the management of the Federal Government. It focuses on\ncritical areas of management weaknesses across the Federal Government where improvements and the most\nprogress can be made.\n                                                                                                              Page 10\n\x0c The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n               Treasury Inspector General for Tax Administration Reports\n\n                                                                                Appendix II\n\n\n                           Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nGary V. Hinkle, Director\nTroy D. Paterson, Audit Manager\nPhung H. Nguyen, Lead Auditor\nTina Wong, Senior Auditor\nSteven W. Gibson, Auditor\n\n\n\n\n                                                                                         Page 11\n\x0c The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n               Treasury Inspector General for Tax Administration Reports\n\n                                                                            Appendix III\n\n\n                                Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nAssociate Chief Information Officer, Business Systems Modernization OS:CIO:B\nAssociate Chief Information Officer, Enterprise Services OS:CIO:ES\nAssociate Chief Information Officer, Information Technology Services OS:CIO:I\nAssociate Chief Information Officer, Management OS:CIO:M\nDirector, Stakeholder Management OS:CIO:SM\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Management Controls OS:CFO:AR:M\nAudit Liaisons:\n       Associate Chief Information Officer, Business Systems Modernization OS:CIO:B\n       Manager, Program Oversight Office OS:CIO:SM:PO\n\n\n\n\n                                                                                  Page 12\n\x0c  The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n                Treasury Inspector General for Tax Administration Reports\n\n                                                                                           Appendix IV\n\n\n                  Division of Open Corrective Actions Within the\n          Modernization and Information Technology Services Organization\n\nThe 101 open corrective actions we reviewed were divided among 11 different divisions within\nthe Modernization and Information Technology Services organization.\n\n                        Figure 1: Open Corrective Actions by Responsible Official\n\n\n\n\nSource: Data obtained from analyzing the Joint Audit Management Enterprise System. NOTE: Percentages do not\ntotal 100 percent due to rounding.\n\n\n\n\n                                                                                                   Page 13\n\x0c  The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n                Treasury Inspector General for Tax Administration Reports\n\n                                                                                       Appendix V\n\n\n                  Security Versus Non-Security Open Corrective Actions\n\nThe 101 open corrective actions we reviewed can be broken down between systems security and\nnonsystems security-related actions. In addition, we performed a detailed review of each open\ncorrective action to determine and group similar items into specific categories. These categories\nshow the status of work performed and other actions required of the Modernization and\nInformation Technology Services organization to close out the corrective actions.\n                      Figure 1: Security Versus Non-Security Open Corrective Actions\n\n\n\n\nSource: Data obtained from analyzing the Joint Audit Management Enterprise System.\n\n\n\n\n                                                                                           Page 14\n\x0c    The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n                  Treasury Inspector General for Tax Administration Reports\n\n                                                                                                     Appendix VI\n\n\n                    Corrective Actions Related to Material Weaknesses or\n                                Internal Control Deficiencies\n\nWe analyzed all 101 open corrective actions to determine whether they related to specific\nInternal Revenue Service (IRS) material weaknesses or internal control deficiencies.1 Of the\n101 open corrective actions, 93 relate to either a material weakness or an internal control\ndeficiency. See Appendix VIII for details on the open corrective actions that relate to an IRS\nmaterial weakness or internal control but are not related to systems security or systems\nmodernization.\n         Figure 1: Open Corrective Actions Related to Material Weaknesses or Internal Control Deficiencies\n\n\n\n\nSource: Data obtained from analyzing the Joint Audit Management Enterprise System.\n\n\n\n\n1\n Internal control deficiencies, also known as \xe2\x80\x9creportable conditions,\xe2\x80\x9d are matters that could adversely affect an\norganization\xe2\x80\x99s ability to initiate, record, process, and report financial data consistent with the assertions of\nmanagement in the financial statements.\n\n\n\n\n                                                                                                             Page 15\n\x0c    The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n                  Treasury Inspector General for Tax Administration Reports\n\n                                                                                                     Appendix VII\n\n\n\n           Corrective Actions Related to the President\xe2\x80\x99s Management Agenda\n\nWe analyzed all 101 open corrective actions and determined they all relate to a specific\nPresident\xe2\x80\x99s Management Agenda (PMA) item.1 Of the 101 open corrective actions, only 8 do\nnot relate to systems security, systems modernization, or a material weakness/internal control\ndeficiency.2 See Appendix VIII for details on the open corrective actions that relate to a PMA\nitem but are not related to systems security, systems modernization, or a material\nweakness/internal control deficiency.\n                  Figure 1: Open Corrective Actions Related to the President\xe2\x80\x99s Management Agenda\n\n\n\n\nSource: Data obtained from analyzing the Joint Audit Management Enterprise System.\n\n\n\n\n1\n  The PMA is an aggressive strategy for improving the management of the Federal Government. It focuses on\ncritical areas of management weaknesses across the Federal Government where improvements and the most\nprogress can be made.\n2\n  Internal control deficiencies, also known as \xe2\x80\x9creportable conditions,\xe2\x80\x9d are matters that could adversely affect an\norganization\xe2\x80\x99s ability to initiate, record, process, and report financial data consistent with the assertions of\nmanagement in the financial statements.\n                                                                                                              Page 16\n\x0c    The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n                  Treasury Inspector General for Tax Administration Reports\n\n                                                                                                   Appendix VIII\n\n\n                              Categorization of Open Corrective Actions\n\nWe analyzed all 101 open corrective actions and classified them into 4 specific categories based\nupon their relationship to systems security, systems modernization, existing Internal Revenue\nService (IRS) material weaknesses/internal control deficiencies,1 and the President\xe2\x80\x99s\nManagement Agenda (PMA).2 Table 1 lists the open corrective action according to the format\nused by the IRS.3\n                                Table 1: Categorization of Open Corrective Actions\n                           Category I \xe2\x80\x93 44 Corrective Actions Related to Systems Security\n    2004-20-142/1/1/1      2004-20-131/1/2/2     2004-20-073/3/1/1     2003-20-119/1/1/3         2002-20-075/1/1/2\n    2004-20-142/1/2/1      2004-20-131/2/4/1     2004-20-073/3/1/2     2003-20-119/1/4/3         2002-20-075/1/1/3\n    2004-20-142/2/1/3      2004-20-126/1/1/1     2004-20-063/3/1/1     2003-20-118/2/2/1         2002-20-075/1/1/4\n    2004-20-142/2/1/4      2004-20-126/1/2/1     2004-20-063/2/1/1     2003-20-118/1/5/1         2002-20-075/1/2/1\n    2004-20-142/2/2/1      2004-20-126/1/3/1     2004-20-053/1/1/1     2003-20-118/2/2/2         2002-20-075/5/2/1\n    2004-20-142/2/2/2      2004-20-079/1/3/1     2004-20-053/1/2/2     2003-20-082/5/1/1         2002-20-007/3/1/1\n    2004-20-142/2/3/2      2004-20-079/2/1/1     2004-20-053/1/3/1     2003-20-082/6/1/1         2001-20-043/1/1/1\n    2004-20-135/1/1/1      2004-20-079/3/1/1     2004-20-053/1/5/1     2003-20-056/2/1/1         2001-20-043/1/2/1\n    2004-20-131/1/2/1      2004-20-073/2/1/1     2004-20-053/2/1/1     2002-20-145/1/1/1\n\n                        Category II - 23 Corrective Actions Related to Systems Modernization\n    2004-20-157/3/1/1      2004-20-061/3/1/1      2004-20-026/1/1/2     2004-40-110/1/2/1    2003-20-219/1/4/1\n    2004-20-157/2/1/1      2004-20-034/1/2/1      2004-20-026/1/1/1     2004-40-013/1/2/1    2001-20-152/1/1/1\n    2004-20-157/1/1/1      2004-20-034/2/1/1      2004-20-001/2/1/1     2004-40-013/1/3/1    2001-20-152/1/2/1\n    2004-20-147/2/4/1      2004-20-034/2/2/1      2004-40-110/1/1/1     2004-30-023/1/3/3\n    2004-20-147/2/3/1      2004-20-026/1/2/1      2004-40-110/1/1/2     2004-30-023/1/5/1\n\n\n\n\n1\n  Internal control deficiencies, also known as \xe2\x80\x9creportable conditions,\xe2\x80\x9d are matters that could adversely affect an\norganization\xe2\x80\x99s ability to initiate, record, process, and report financial data consistent with the assertions of\nmanagement in the financial statements.\n2\n  The PMA is an aggressive strategy for improving the management of the Federal Government. It focuses on\ncritical areas of management weaknesses across the Federal Government where improvements and the most\nprogress can be made.\n3\n  The first nine digits (XXX-XX-XX) are the Treasury Inspector General for Tax Administration (TIGTA) audit\nreport number. The next three digits (/X/X/X) correspond to the finding number, recommendation number, and\ncorrective action number. Audit reports and management responses can be found on the TIGTA web site:\nhttp://www.treas.gov/tigta/oa_auditreports.shtml.\n                                                                                                             Page 17\n\x0c The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to\n               Treasury Inspector General for Tax Administration Reports\n\n  Category III - 26 Corrective Actions Related to an IRS Material Weakness/Internal Control Deficiency\n 2002-20-043/2/1/1    2003-40-165/4/1/1     2004-20-041/3/2/1     2004-20-156/2/3/1   2004-20-156/4/1/1\n 2002-20-043/2/2/1    2004-20-041/1/1/1     2004-20-041/3/3/1     2004-20-156/2/4/1   2004-20-156/4/2/1\n 2002-20-100/1/1/1    2004-20-041/1/2/1     2004-20-156/1/1/1     2004-20-156/2/5/1   2004-20-156/4/3/1\n 2002-20-100/1/2/1    2004-20-041/1/3/1     2004-20-156/2/1/1     2004-20-156/3/1/1   2004-20-156/5/1/1\n 2003-40-092/1/1/1    2004-20-041/2/1/1     2004-20-156/2/2/1     2004-20-156/3/3/1   2004-20-156/5/2/1\n                                                                                      2004-30-055/2/1/1\n\n             Category IV - 8 Corrective Actions Related to the President\xe2\x80\x99s Management Agenda\n  2003-20-209/2/1/1     2003-20-035/1/1/1      2003-20-035/2/3/1    2002-20-138/1/2/1\n  2003-20-117/1/2/1     2003-20-035/1/2/1      2002-20-138/1/1/1    2001-20-004/1/1/1\nSource: Data obtained from analyzing the Joint Audit Management Enterprise System.\n\n\n\n\n                                                                                                Page 18\n\x0c'